automatic synthesis of fault tolerance n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Automatic Synthesis of Fault-Tolerance PowerPoint Presentation
Download Presentation
Automatic Synthesis of Fault-Tolerance

Loading in 2 Seconds...

play fullscreen
1 / 43

Automatic Synthesis of Fault-Tolerance - PowerPoint PPT Presentation


  • 500 Views
  • Uploaded on

Automatic Synthesis of Fault-Tolerance. Ali Ebnenasir Software Engineering and Network Systems Laboratory Computer Science and Engineering Department Michigan State University Advisor: Dr. Sandeep Kulkarni. Problem. Given a program p and a class of faults f,

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Automatic Synthesis of Fault-Tolerance' - lotus


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
automatic synthesis of fault tolerance

Automatic Synthesis of Fault-Tolerance

Ali Ebnenasir

Software Engineering and Network Systems Laboratory

Computer Science and Engineering Department

Michigan State University

Advisor: Dr. Sandeep Kulkarni

problem
Problem
  • Given a program p and a class of faults f,

Question: How do we add desired fault-tolerance properties to p in order to create a new program p’ such that:

Requirements:

        • In the absence of f, the resulting fault-tolerant program p’ behaves similar to p
        • In the presence of f, the resulting fault-tolerant program p’ satisfies the desired fault-tolerance property.
solution strategies
Solution Strategies
  • Two possible approaches
    • Redesign p’ and verify its correctness w.r.t problem requirements
      • Expensive approach
    • Automatically synthesizep’ from p
      • Correct by construction
synthesis specification based
Synthesis: Specification-Based

Specification of p

(Temporal Logic Expressions/

Automata)

Synthesis Algorithm

(prove the satisfiability

of the specification)

Fault-tolerance

requirements

(Temporal Logic Expressions)

Faults

Fault-tolerant program p’

Program synthesis:Fault-Tolerance synthesis:

[EmersonClarke 1982] [AroraAttieEmerson 1998]

[AttieEmerson 2001]

[KupfermannVardi 2001]

synthesis calculational
Synthesis: Calculational

Fault-intolerant program p

(Transitions)

Synthesis Algorithm

(Calculate the set of transitions)

Fault-tolerance

requirements

Faults

(Transitions)

Fault-tolerant program p’

(Transitions)

[KulkarniArora 2000]

[KulkarniAroraChippada 2001]

the complexity of calculational synthesis
The Complexity of Calculational Synthesis
  • High atomicity model: processes can atomically read/write all program variables
    • Polynomial in the state space of the fault-intolerant program p [KA00]
  • Low atomicity model (distributed programs): processes have read/write restrictions with respect to program variables
    • Exponential in the state space of the fault-intolerant program p for synthesizing masking fault-tolerance[KA00]
  • Propose techniques for the synthesis of fault-tolerant distributed programs

[KA00] S.S. Kulkarni and A. Arora, Automating the addition of fault-tolerance, FTRTFT 2000.

outline
Outline
  • Preliminary concepts
  • Synthesis problem
  • Current results
    • Theoretical issues
      • Step-wise automation
      • Polynomial-time boundary
      • Heuristics
      • Pre-synthesized fault-tolerance components
    • Practical issues
      • A framework for the synthesis of fault-tolerant programs
  • Contributions
  • Open problems
preliminary concepts programs and faults

X

p

Preliminary Concepts:Programs and Faults
  • Program
    • Finite number of variables with finite domains
    • Finite number of processes
  • State: a valuation of program variables
  • Finite state space Sp
  • State predicate X X Sp
  • Program p, Fault f { (s0, s1) | (s0, s1)  Sp Sp }
  • Closure: X is closed in p

Sp

preliminary concepts specifications and fault tolerance

T

S

f

p/f

p

Preliminary Concepts:Specifications and Fault-Tolerance
  • Safety specification: something badnever happens
    • Representation { (s0, s1) | (s0, s1)  Sp Sp }
      • E.g., transitions that change the value of a counter from non-zero

values to zero

  • Liveness specification: something goodwill eventually happen
    • In the absence of faults, fault-tolerant program p’ satisfies the liveness specification of the fault-intolerant program p
  • Invariant S, fault-span T Sp
  • Fault-tolerance: Failsafe, Nonmasking, Masking

Sp

Program

Fault

preliminary concepts distribution model

a=1,b=1

a=0,b=0

Preliminary Concepts:Distribution Model
  • Read/Write restrictions (low atomicity model)
    • Assumption: a process cannot write a variable that it cannot read.
  • Example: program p
      • Two processes j, k
      • Two Boolean variables a and b
      • Process j cannot read b, but can read and write a
  • Write restrictions
    • Can we include the following transition in the set of transitions of process j?

a

b

j

k

Write restrictions identify the set of transitions of each process.

preliminary concepts distribution model continued

a=1,b=0

a=0,b=0

Only if we include the transition

a=1,b=1

a=0,b=1

Preliminary Concepts:Distribution Model – Continued
  • Read restrictions
    • Can we include the following transition in the set of transitions of process j?

Groups of transitions (instead of individual transitions) must be chosen.

outline1
Outline
  • Preliminary concepts
  • Synthesis problem
  • Current results
    • Theoretical issues
      • Step-wise automation
      • Polynomial-time boundary
      • Heuristics
      • Pre-synthesized fault-tolerance components
    • Practical issues
      • A framework for the synthesis of fault-tolerant programs
  • Contributions
  • Open problems
synthesis problem
Synthesis Problem

Distribution restrictions

Fault-intolerant

program p

(Masking/Nonmasking/Failsafe)

Fault-tolerant

program p'

Synthesis Algorithm

Specification Spec

Invariant S

Invariant S'

Faults f

Desired level of Fault-intolerance

(Masking/Nonmasking/Failsafe)

  • Requirements
    • No new behaviors are added in the absence of faults.
    • In the presence of faults, p’ provides desired level of fault-tolerance.
outline2
Outline
  • Preliminary concepts
  • Synthesis problem
  • Current results
    • Theoretical issues
      • step-wise automation
      • Polynomial-time boundary
      • Heuristics
      • Pre-synthesized fault-tolerance components
    • Practical issues
      • A framework for the synthesis of fault-tolerant programs
  • Contributions
  • Open problems
theoretical issues step wise automation

Failsafe fault-tolerant

Nonmasking fault-tolerant

Theoretical Issues:Step-Wise Automation

Masking fault-tolerant

[KA00]

Failsafe

Intolerant Program

outline3
Outline
  • Preliminary concepts
  • Synthesis problem
  • Current results
    • Theoretical issues
      • step-wise automation
      • Polynomial-time boundary
      • Heuristics
      • Pre-synthesized fault-tolerance components
    • Practical issues
      • A framework for the synthesis of fault-tolerant programs
  • Contributions
  • Open problems
theoretical issues polynomial time boundary
Theoretical Issues: Polynomial-Time Boundary
  • Complexity: reduction from 3-SAT to the problem of synthesizing failsafe fault-tolerant distributed programs

In general, the problem of synthesizing failsafe fault-tolerant distributed programs from their fault-intolerant version is

NP-complete.

  • Intuitively, the exponential complexity is due to the inability of a process to safely estimate unreadable variables even in the absence of faults (grouping issue).
  • What are the necessary and sufficient conditions for polynomial synthesis of failsafe fault-tolerant distributed programs?
  • Restrictions on
    • The transitions of the fault-intolerant programs
    • Specifications
theoretical issues monotonicity of specifications

Then

x = true

x = true

If

s’0

s’1

Does not violate safety

x = false

x = false

s0

s1

Does not violate safety

Theoretical Issues: Monotonicity of Specifications
  • Definition: A specification spec is positivemonotonic with respect to a Boolean variable x iff:
      • For every (s0, s1) and (s’0, s’1) grouped together due to inability of reading x
theoretical issues monotonicity of programs

x = true

x = true

s’0

s’1

x = false

x = false

s0

s1

Invariant S

Theoretical Issues: Monotonicity of Programs
  • Definition: Program p with invariant S is positive monotonic with respect to a Boolean variable x iff:
      • For every (s0, s1) and (s’0, s’1) grouped together due to inability of reading x

Monotonicity requirements capture the notion that safe assumptions

can be made about variables that cannot be read

theoretical issues monotonicity theorem
Theoretical Issues: Monotonicity Theorem
  • Sufficiency:

if

      • Program is negative monotonic, and
      • Spec is positive monotonic
    • Or
      • Program is positive monotonic, and
      • Spec is negative monotonic

Then

Synthesis of failsafe fault-tolerance can be done in polynomial time

  • Necessity: If only one of these conditions is satisfied then synthesizing failsafe fault-tolerance remains NP-complete.
  • For many problems, these requirements are easily met (e.g., Byzantine agreement, consensus, atomic commit)
theoretical issues an example for monotonicity theorem
Theoretical Issues:An Example for Monotonicity Theorem
  • Dijkstra’s guarded commands (actions)
    • Guard Statement
    • { (s0, s1) | Guard holds at s0 and atomic execution of Statement yieldss1 }
  • Example: Byzantine agreement
    • Safety Specification of Byzantine agreement:
      • Agreement: No two non-Byzantine non-generals can finalize with different decisions
      • Validity: If g is not Byzantine then no non-Byzantine process can finalize with a different decision with respect to g
    • Processes: General, g, and three non-generals j, k, and l
        • d.g : {0, 1}
        • d.j, d.k, d.l : {0, 1, ┴ }
        • b.g, b.j, b.k, b.l : {0, 1}
        • f.j, f.k, f.l : {0, 1}

g

j

k

l

theoretical issues an example for monotonicity theorem1
Theoretical Issues:An Example for Monotonicity Theorem
  • Program actions for process j

d.j = ┴ f.j = 0  d.j := d.g

d.j ≠ ┴  f.j = 0  f.j := 1

  • Fault transitions for process j

¬b.g  ¬b.j  ¬b.k  ¬b.l  b.j := 1

b.j  d.j :=0|1

  • Read/Write restrictions:
    • Readable variables for process j:
      • b.j, d.j, f.j, d.g, d.k, d.l
    • Process j can write d.j, f.j
theoretical issues an example for monotonicity theorem continued
Theoretical Issues:An Example for Monotonicity Theorem – Continued
  • Observation 1: Negative monotonicity of specification with respect to f.j
  • Observation 2: Positive monotonicity of program, consisting of the transitions of j, with respect to f.k
  • Observation 3: Positive monotonicity of specification with respect to b.j
    • The specification does not stipulate anything about the Byzantine processes
  • Observation 4: Negative monotonicity of program, consisting of the transitions of j, with respect to b.k

Synthesis of agreement program that is failsafe to Byzantine

faults can be done in polynomial time.

outline4
Outline
  • Preliminary concepts
  • Synthesis problem
  • Current results
    • Theoretical issues
      • step-wise automation
      • Polynomial-time boundary
      • Heuristics
      • Pre-synthesized fault-tolerance components
    • Practical issues
      • A framework for the synthesis of fault-tolerant programs
  • Contributions
  • Open problems
theoretical issues heuristics

Nonmasking fault-tolerant

Theoretical Issues: Heuristics
  • Heuristic: A strategy for making deterministic decisions to reduce the complexity of synthesis
    • Example: Reuse the structure of nonmasking programs in the synthesis of their masking versions

Masking fault-tolerant

Fault-Tolerance

Enhancement

Intolerant Program

outline5
Outline
  • Preliminary concepts
  • Synthesis problem
  • Current results
    • Theoretical issues
      • step-wise automation
      • Polynomial-time boundary
      • Heuristics
      • Pre-synthesized fault-tolerance components
    • Practical issues
      • A framework for the synthesis of fault-tolerant programs
  • Contributions
  • Open problems
theoretical issues pre synthesized fault tolerance components
Theoretical Issues: Pre-Synthesized Fault-Tolerance Components
  • What if existing heuristics fail?
  • How can we reuse the techniques used in the synthesis of a program, in the synthesis of another program?
  • Can we encapsulate commonly encountered synthesis patterns in terms of pre-synthesized fault-tolerance components?
  • Detectors and correctors are necessary and sufficient in the design of fault-tolerance [AK98]
    • Detectors and correctors have the potential to provide a rich library of pre-synthesized fault-tolerance components

[AK98] A. Arora and S.S. Kulkarni, Detectors and Correctors: A Theory of Fault-Tolerance , IEEE ICDCS 1998.

theoretical issues using pre synthesized components
Theoretical Issues:Using Pre-Synthesized Components
  • If available heuristics fail to add recovery from a deadlock statesd

Automatically specify the required component

  • Extract the component from the component library
  • Verify the interference-freedom of the composition
  • Add extracted component to the fault-intolerant program
theoretical issues pre synthesized components achievements
Theoretical Issues:Pre-Synthesized Components - Achievements
  • Reducing the chance of failure in the synthesis
  • Providing a mechanism for the reuse of synthesis techniques
  • Extending the scope of synthesis problem where the state space is expanded during the synthesis
  • Controlling the way new variables are introduced
outline6
Outline
  • Preliminary concepts
  • Synthesis problem
  • Current results
    • Theoretical issues
      • step-wise automation
      • Polynomial-time boundary
      • Heuristics
      • Pre-synthesized fault-tolerance components
    • Practical issues
      • A framework for the synthesis of fault-tolerant programs
  • Contributions
  • Open problems
practical issues framework goals
Practical Issues:Framework Goals
  • Goals of the framework design
    • Ability to synthesize fault-tolerant programs from their fault-intolerant versions
    • Ability to integrate new heuristics into the framework
    • Ability to change implementation
practical issues synthesis framework
Practical Issues:Synthesis Framework

Library of pre-synthesized fault-tolerance components

Component

specification

Pre-synthesized

detectors/correctors

Synthesis algorithm

p, S, f, spec

Results

Query

p’, S’

Interactive user interface

p, S, f, spec

Results

p’, S’

Query

The user

(Fault-tolerance developer)

Guarded commands,

State predicates

Guarded commands/

Promela,

State predicates

practical issues framework internals synthesis algorithm
Practical Issues:Framework Internals –Synthesis Algorithm

Fault-intolerant program

p, S, f, spec

Interaction points

Initialization

Preserve Invariant

Modify Invariant

Expand the reachability

graph

Calculate a valid

fault-span

Calculate a valid

invariant

Remove bad transitions

Ensure safety

Ensure deadlock freedom

Remove bad states

Ensure deadlock freedom

Resolve non-progress

cycles

Fault-tolerant program

Reachability graph of the

fault-tolerant program

p’, S’

practical issues current status of the framework
Practical Issues:Current Status of theFramework
  • Example synthesized programs:
    • Token ring with 7 processes
    • Byzantine agreement with 4 non-general processes and one general process
    • An agreement program that is subject to both Byzantine and fail-stop faults (1.3 million states)
  • Currently, the framework can
    • handle different types of faults (e.g., process restart, Byzantine, fail-stop)
    • synthesize programs that are simultaneously subject to multiple types of faults
outline7
Outline
  • Preliminary concepts
  • Synthesis problem
  • Current results
    • Theoretical issues
      • step-wise automation
      • Polynomial-time boundary
      • Heuristics
      • Pre-synthesized fault-tolerance components
    • Practical issues
      • A framework for the synthesis of fault-tolerant programs
  • Contributions
  • Open problems
contributions
Contributions
  • Showing the NP-completeness of synthesizing failsafe fault-tolerance
  • Identifying the necessary and sufficient conditions for polynomial-time

synthesis of failsafe fault-tolerance

  • Reusing the computational structure of fault-intolerant programs to reduce the complexity of synthesis (enhancement)
  • Identifying synthesis patterns as pre-synthesized fault-tolerance components
  • Developing a framework for the synthesis of fault-tolerant programs
outline8
Outline
  • Preliminary concepts
  • Synthesis problem
  • Current results
    • Theoretical issues
      • step-wise automation
      • Polynomial-time boundary
      • Heuristics
      • Pre-synthesized fault-tolerance components
    • Practical issues
      • A framework for the synthesis of fault-tolerant programs
  • Contributions
  • Open problems
open problems
Open Problems
  • Theoretical issues
    • Non-monotonic programs/specifications to monotonic ones
      • Extending the scope of the programs that can reap the benefit of efficient automation
    • Necessary and sufficient conditions for simultaneous addition of multiple pre-synthesized fault-tolerance components
    • Necessary and sufficient conditions for polynomial-time synthesis of nonmasking fault-tolerant programs
    • Automated synthesis of multitolerance
open problems continued
Open Problems - Continued
  • Practical issues
    • Distributed synthesis algorithm
    • Symbolic synthesis of fault-tolerance

Distributed Synthesis Algorithm

Verify safety

Y/N

Closure

Y/N

Cycle

detection

Y/N

. . .

SAT solver

SAT solver

SAT solver

open problems continued1
Open Problems - Continued
  • Using model checkers for acquiring behavioral information during synthesis

Distributed Synthesis Algorithm

. . .

SPIN

SPIN

SPIN

publications
Publications
  • Published papers
    • Sandeep S. Kulkarni and Ali Ebnenasir. "Enhancing The Fault- Tolerance of Nonmasking Programs". IEEE ICDCS 2003.
    • Ali Ebnenasir. "Algorithmic Synthesis of Fault-Tolerant Distributed Programs". Doctoral Symposium of ICDCS 2003.
    • Sandeep S. Kulkarni and Ali Ebnenasir. "The Complexity of Adding Failsafe Fault-Tolerance". IEEE ICDCS 2002.
  • Submitted papers
    • Sandeep S. Kulkarni and Ali Ebnenasir. "Adding Fault-Tolerance Using Pre-Synthesized Components". Submitted to CBSE7, ICSE 2004.
    • Ali Ebnenasir and Sandeep S. Kulkarni . "A Framework for Automatic Synthesis of Fault-Tolerance". Submitted to DSN 2004.
    • Sandeep S. Kulkarni and Ali Ebnenasir. "Automated Synthesis of Multitolerance". Submitted to DSN 2004.
thank you
Thank you!

Questions and comments?